This section guides you through the process of setting up remote FortiAPs to work with FortiGates:
- Configuring FortiGate before deploying remote APs
- Configuring FortiAPs to connect to FortiGate
- Final FortiGate configuration tasks
- Ensure that your FortiGate has an existing wireless SSID configured in tunnel mode.
- For more information on configuring SSIDs, refer to Defining a wireless network interface (SSID) in the FortiWiFi and FortiAP Configuration Guide.
For the best security practices, set up WPA2/Enterprise for SSIDs used by remote clients. You can use RADIUS Server for PEAP Authentication using MS-CHAPv2 and install a trusted Root CA certificate on all devices that connect to the secure SSIDs.
For more security, you can use Client Certificates instead of MS-CHAPv2. For more information, refer to the FortiAuthenticator Cookbook.
- If you plan on deploying the FortiAP from FortiAP Cloud, ensure you have a Fortinet Support Account at https://support.fortinet.com.
- Ensure the internet bandwidth at the site where the FortiGate is located can handle the extra load needed for the remote APs.
Determine if you want to tunnel all traffic from the remote wireless client to the FortiGate or just a select subset of the internal or corporate networks (Split Tunneling).
If you are only tunneling a subset of your internal or corporate networks, a security client such as FortiClient with URL Filtering and Anti-malware (or another security product) should be used to protect the remote client from becoming compromised and used to access corporate resources.
- Determine how remote sites will provide IP address to the remote AP once it's deployed.
You can refer to the following guides for either using FortiAuthenticator (FAC) or Microsoft NPS Server as a RADIUS server:
- WiFi RADIUS authentication with FortiAuthenticator in the FortiAuthenticator Coookbook.
- WiFi with WSSO using Windows NPS and user groups